The haproxy config does not work for me unless I add the ssl option to the tcp frontend, instead of the http one.

TLS-ALPN-without-downtime.md

@@ -104,7 +104,7 @@ In this example the PROXY protocol is used between `bk_https` and `fe_https` so
 # New
 frontend fe_alpn
   mode tcp
-  bind :443
+  bind :443 ssl crt /etc/ssl/haproxy.pem
   tcp-request inspect-delay 5s
   tcp-request content accept if { req_ssl_hello_type 1 }
   use_backend bk_acmesh if { req.ssl_alpn acme-tls/1 }
@@ -121,7 +121,7 @@ backend bk_https
 # Existing, changed from :443 -> 127.0.0.1:8443
 frontend fe_https
   mode http
-  bind 127.0.0.1:8443 ssl crt /etc/ssl/haproxy.pem accept-proxy
+  bind 127.0.0.1:8443 accept-proxy
   # ...
 ```